AWS Cognito

An example of how to generate access keys and JWKS URI For AWS Cognito is here-

AWS Cognito provides two main components: User Pools and Identity Pools. User Pools are user directories that provide sign-up and sign-in options for app users. Identity Pools, on the other hand, grant AWS credentials to users so they can access other AWS services.

Steps to Generate Access Keys with AWS Cognito:

Create a User Pool:

Go to the AWS Management Console.
Navigate to the Cognito service.
Click on “Manage User Pools” and then “Create a User Pool”.
Name your user pool and configure the required options such as attributes and policies.

Create an App Client:

Within the user pool dashboard, select “App clients” under the General settings.
Click “Add an app client”, provide a name, and configure settings. Ensure you uncheck “Generate client secret” if your client is public (such as a mobile or frontend application).
Save the app client to generate an App Client ID.

Configure App Client Settings:

In the App client settings under the App integration section, configure the authentication providers and callback URLs for your application.

Create an Identity Pool:

Go back to the main page of the Cognito service.
Select “Manage Identity Pools” and create a new identity pool.
Give your identity pool a name and check “Enable access to unauthenticated identities” if you want to allow unauthenticated access.
Associate the identity pool with your user pool by selecting the Cognito User Pool as the authentication provider and inputting the User Pool ID and App Client ID.

Obtain AWS Credentials:

Once the identity pool is created, it will provide you with an Identity Pool ID.
Configure roles in IAM (Identity and Access Management) for authenticated and unauthenticated users, which define permissions for accessing AWS services.
AWS credentials (Access Key ID and Secret Access Key) are then automatically managed by Cognito, and users authenticated by Cognito can obtain temporary AWS credentials via the identity pool.

Using the Keys

When a user logs in via Cognito, AWS Cognito handles the generation and renewal of these temporary AWS credentials, which the application can then use to access other AWS services on behalf of the user. You just have to add the access key on your auth secret in cosmocloud!

Getting JWKS URI

To generate a JWKS (JSON Web Key Set) URI in AWS Cognito, you follow a straightforward process, mostly involving the setup of a Cognito User Pool. AWS Cognito automatically creates a JWKS URI for each User Pool, which contains the public keys used to verify the signatures of the tokens issued by Cognito.

Follow the same step #1 to create a user pool.

Once your User Pool is set up:

Go to the User Pool you have created.
Navigate to the App integration section and then click on App client settings.
In the App client settings, you’ll find a section or note about the identity providers being used and their associated URLs. Here, AWS provides the domain linked to your User Pool.

If your User Pool ID is us-east-1_abcdef, and your AWS region is us-east-1, then your JWKS URI will be:

This URI provides a JSON document containing the public keys that your client applications or servers can use to verify the signatures of JSON Web Tokens (JWTs) provided by AWS Cognito as part of the authentication process. These keys rotate periodically as AWS updates them, and your applications should always retrieve the JWKS dynamically to ensure verification against the current key set.

PreviousSSO Providers NextAuthentication Concepts

Last updated 1 year ago